{ pkgs, lib, config, inputs, hostName, ... }:
let
  inherit (config.services) transmission;
  inherit (config.users) users;
  # Network namespace that both the daemon and its socket proxy are joined to.
  netns = "riseup";
  # Unit providing that namespace; every unit below orders itself after it.
  netnsUnit = "netns-${netns}.service";
  # Accounts granted membership of the transmission group.
  members = [ "julm" "sevy" ];
in
{
  users.groups.transmission.members = map (name: users.${name}.name) members;

  # Host firewall: the RPC port is only opened on the nebula overlay chain,
  # and only when that overlay is enabled.
  networking.nftables.ruleset =
    lib.mkIf config.services.nebula.networks."sourcephile.fr".enable ''
      table inet filter {
        chain input-neb-sourcephile {
          tcp dport ${toString transmission.settings.rpc-port} \
          counter accept comment "transmission: rpc"
        }
      }
    '';

  # Firewall inside the namespace: inbound peer traffic on the peer port,
  # outbound traffic only for sockets owned by the transmission user.
  services.netns.namespaces.${netns}.nftables = ''
    table inet filter {
      chain input {
        meta l4proto { udp, tcp } \
        th dport ${toString transmission.settings.peer-port} \
        counter accept comment "transmission"
      }
      chain output {
        skuid ${transmission.user} counter accept comment "transmission"
      }
    }
  '';

  fileSystems."/var/lib/transmission" = {
    device = "${hostName}/var/torrents";
    fsType = "zfs";
  };

  systemd.services.transmission = {
    after = [ netnsUnit "zfs.target" ];
    requires = [ netnsUnit "zfs.target" ];
    # Daemon is started in the evening; stop-transmission below ends it in the morning.
    startAt = "20:00:00";
    unitConfig.JoinsNamespaceOf = [ netnsUnit ];
    serviceConfig = {
      # The namespace has its own resolver configuration.
      BindReadOnlyPaths = [ "/etc/netns/${netns}/resolv.conf:/etc/resolv.conf" ];
      PrivateNetwork = true;
      #NetworkNamespacePath = "/var/run/netns/${netns}";
      # settings.json (holds the RPC credentials) is shipped encrypted and
      # decrypted by systemd into /run/credentials at service start.
      LoadCredentialEncrypted = [
        "settings.json:${transmission/settings.json.cred}"
      ];
    };
  };

  # Entry point from the host side: a socket on the 10.0.0.2 address that
  # forwards into the namespace. FreeBind lets it bind before the address exists.
  systemd.sockets.proxy-to-transmission = {
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "10.0.0.2:9091" ];
    socketConfig.FreeBind = true;
  };

  # NOTE(review): because the proxy connects to 127.0.0.1:9091 from inside the
  # namespace, transmission sees every RPC client as 127.0.0.1. Source-IP
  # filtering is therefore done by the nftables rule above plus RPC
  # authentication, not by rpc-whitelist — confirm this is the intent.
  systemd.services.proxy-to-transmission = {
    requires = [ "transmission.service" ];
    after = [ "transmission.service" "proxy-to-transmission.socket" ];
    unitConfig.JoinsNamespaceOf = [ netnsUnit ];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd 127.0.0.1:9091";
      PrivateNetwork = true;
      PrivateTmp = true;
    };
  };

  # Oneshot that conflicts with transmission.service: firing it every 15 min
  # between 06h and 19h keeps the daemon stopped during the day.
  systemd.services.stop-transmission = {
    serviceConfig.Type = "oneshot";
    unitConfig.Conflicts = [ "transmission.service" ];
    startAt = "06..19:0,15,30,45:00";
    script = "true";
  };

  services.transmission = {
    enable = true;
    performanceNetParameters = true;
    # FIXME: need latest systemd to exist in ExecStartPre=
    credentialsFile = "/run/credentials/transmission.service/settings.json";
    webHome = pkgs.flood-for-transmission;
    package = pkgs.transmission_4;
    settings = {
      message-level = 2;

      # Storage layout, all under the zfs dataset mounted above.
      download-dir = "/var/lib/transmission/downloaded";
      incomplete-dir = "/var/lib/transmission/.incoming";
      incomplete-dir-enabled = true;
      watch-dir = "/var/lib/transmission/.torrents";
      watch-dir-enabled = true;
      trash-original-torrent-files = false;
      preallocation = 0;
      umask = 7; # 007 octal, in decimal!

      download-queue-enabled = true;
      download-queue-size = 5;
      peer-id-ttl-hours = 6;
      peer-limit-global = 1000;
      peer-limit-per-torrent = 100;

      # Peer side: fixed port (matches the namespace nftables rule).
      peer-port = 6882;
      peer-port-random-on-start = false;
      # 1 = prefer encrypted peer connections but still accept plaintext
      # (2 would require encryption).
      encryption = 1;
      dht-enabled = true;
      lpd-enabled = false;
      pex-enabled = true;
      port-forwarding-enabled = true;
      scrape-paused-torrents-enabled = false;
      peer-socket-tos = "lowcost";
      queue-stalled-enabled = true;
      queue-stalled-minutes = 30;

      # Bandwidth: base upload cap, with the alt-speed schedule active all day.
      speed-limit-down-enabled = false;
      speed-limit-up = 50;
      speed-limit-up-enabled = true;
      alt-speed-enabled = true;
      alt-speed-time-enabled = true;
      alt-speed-down = 1000;
      alt-speed-up = 0;
      alt-speed-time-day = 127; # all days. 65; # weekend only
      alt-speed-time-begin = 360; # 06h00 local time
      alt-speed-time-end = 1260; # 21h00 local time
      ratio-limit = 4;
      ratio-limit-enabled = true;

      # RPC: loopback only inside the namespace; reached through the socket
      # proxy. Credentials come from the encrypted settings.json credential.
      rpc-enabled = true;
      rpc-bind-address = "127.0.0.1";
      rpc-port = 9091;
      # NOTE(review): rpc-whitelist is matched against the client IP address,
      # so the ".sp" host names listed here are presumably inert — confirm.
      rpc-whitelist = "127.0.0.1,${hostName}.sp,oignon.sp";
      rpc-whitelist-enabled = true;
      rpc-host-whitelist = "localhost,${hostName}.sp";
      rpc-host-whitelist-enabled = true;
      rpc-authentication-required = true;
    };
  };
}